EU Automotive & Manufacturing B2B: Commerce Under the Cyber Resilience Act
Key Takeaways
EU automotive and manufacturing supply chains face a new compliance reality: the Cyber Resilience Act (CRA), which entered into force in December 2024 with main obligations applying from December 2027, mandates that all products with digital elements must be designed, developed, and maintained with cybersecurity embedded from the start.
The CRA applies to every manufacturer, distributor, and importer placing digital products on the EU market — which includes automotive components with embedded software, industrial equipment, and manufacturing procurement platforms themselves.
For B2B automotive and manufacturing marketplaces, CRA compliance means full control over the supply chain, complete visibility into the software bill of materials (SBOM), and the ability to prove security-by-design to both customers and regulators.
SaaS platforms, which are multi-vendor systems with embedded third-party components and dependencies, cannot provide this visibility or control.
Self-hosted platforms deployed on EU sovereign infrastructure — combined with NIS2 compliance for critical infrastructure operators — are the only architecturally viable path for EU manufacturing commerce.
This guide covers the regulatory environment governing EU automotive and manufacturing B2B commerce, the specific compliance gaps in SaaS platforms, and how to architect a procurement platform that satisfies the Cyber Resilience Act, NIS2, and GDPR simultaneously.
Last verified: March 2026
Why Does EU Automotive & Manufacturing Commerce Differ?
The EU automotive aftermarket is worth an estimated EUR 120+ billion annually. The broader EU manufacturing supply chain (component distribution, MRO, industrial equipment) operates at even larger scale. The EU has historically been a leader in advanced manufacturing — precision tooling, automotive components, industrial machinery. The digital transformation of B2B supply chains is critical to maintaining competitiveness against US and Asian manufacturers.
EU manufacturing is undergoing a fundamental regulatory shift. The Cyber Resilience Act entered into force December 10, 2024. Its definition of “products with digital elements” reaches industrial equipment with connectivity, manufacturing software platforms, and automotive components with embedded software that are not already covered by vehicle type-approval rules.
The CRA applies not just to product manufacturers but to distributors and importers. For B2B manufacturing or automotive marketplaces, the CRA treats the platform itself as a digital product requiring that cybersecurity be built into design and maintained throughout its lifecycle.
Combined with NIS2 (the Network and Information Systems Directive) for critical infrastructure operators and GDPR for multi-country operations, EU manufacturing commerce requires platform architecture with full control over security-by-design, supply chain transparency, and regulatory auditability.
Choosing the wrong platform carries legal exposure. Under the CRA, placing a non-compliant product with digital elements on the EU market carries fines of up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher. Under NIS2, essential entities face fines of up to EUR 10 million or 2% of worldwide annual turnover, and important entities up to EUR 7 million or 1.4%. A manufacturer that sources components through a procurement platform it cannot audit does not transfer its own obligations to the platform vendor. For EU manufacturing enterprises, these are not abstract risks. They are material business risks that directly affect platform choice.
For a full overview of EU regulations affecting commerce (Cyber Resilience Act, NIS2, GDPR, and regional compliance frameworks), see our EU eCommerce Compliance Environment 2026 (coming soon).
What Regulations Govern EU Automotive & Manufacturing B2B Commerce?
EU manufacturing commerce operates under a layered regulatory framework. Cybersecurity-by-design (Cyber Resilience Act), critical infrastructure protection (NIS2), and data protection (GDPR) create overlapping requirements that vary slightly by member state.
| Regulation | Jurisdiction | What It Means for Manufacturing B2B Commerce | Impact |
|---|---|---|---|
| Cyber Resilience Act (CRA) | EU | All products with digital elements must be designed, developed, and maintained with security-by-design. Distributors/importers must ensure products meet CRA requirements. Main obligations apply Dec 11, 2027. | 🔴 Critical |
| NIS2 (Network & Information Systems Directive 2) | EU | Essential and important entities (including motor vehicle and machinery manufacturers at or above the medium-size threshold) must implement risk-management measures, manage supply chain risk, and report significant incidents to the national CSIRT or competent authority (24-hour early warning, 72-hour notification, final report within one month). | 🟡 Moderate (if NIS2 entity) |
| GDPR | EU | Personal data of customers and supplier contacts must be processed on a lawful basis (in B2B procurement usually contract or legitimate interest rather than consent), with data subject rights such as access, erasure, and portability honoured on request. Transfers outside the EEA require an adequacy decision (including the EU-US Data Privacy Framework), Standard Contractual Clauses, or another Chapter V safeguard. | 🔴 Critical |
| UNECE WP.29 (UN Regulations R155 and R156) | EU + Global | Cybersecurity management system (R155) and software update management system (R156) requirements for type-approved vehicles, made binding in the EU by Regulation (EU) 2019/2144. Applies to vehicle manufacturers and flows down to their supply chain. | 🟡 Moderate |
| Directive 2014/34/EU (ATEX) | EU | Equipment used in explosive atmospheres must meet specific standards. Applies to manufacturing equipment in certain sectors. | 🟡 Moderate (sector-specific) |
The Cyber Resilience Act is the primary gate for EU manufacturing in 2027. The CRA applies to all manufacturers placing products with digital elements on the EU market, regardless of origin. “Products with digital elements” covers hardware and software that connects directly or indirectly to a device or network: industrial equipment with connectivity (robots, PLC-controlled machinery), aftermarket automotive parts with embedded software, and software products such as a self-hosted procurement or supply chain platform. Two scope caveats matter for this sector. Components that fall under EU vehicle type-approval rules (Regulation (EU) 2019/2144, which applies UN R155/R156) are excluded from the CRA and regulated there instead. Stand-alone cloud services are addressed by NIS2 rather than the CRA; the CRA reaches remote data processing only where a product depends on it for its functions.
The CRA requires cybersecurity measures throughout the product lifecycle: planning, design, development, testing, deployment, maintenance, and end-of-life, with a support period (at least five years by default) during which the manufacturer must handle vulnerabilities and ship security updates. For B2B marketplaces, the platform vendor must show that cybersecurity is embedded in development, that vulnerabilities are handled under a published coordinated disclosure policy, and that the software bill of materials (SBOM), covering at least the top-level dependencies, is documented and auditable. An enterprise that substantially modifies the platform it deploys takes on the manufacturer’s obligations for the modified product. Learn more about the Cyber Resilience Act from the European Commission.
Main CRA obligations apply December 11, 2027. Non-compliance with the essential requirements carries fines up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher. Reporting obligations begin September 11, 2026: actively exploited vulnerabilities and severe incidents affecting product security must be reported to ENISA and the national CSIRT through the single reporting platform, with an early warning within 24 hours of becoming aware.
NIS2 applies to essential and important entities. NIS2 is a separate directive from the CRA, but the two overlap: the CRA secures the product, NIS2 secures the organisation operating it. NIS2 lists sectors in two annexes. Energy, transport, water, and health are among the high-criticality sectors of Annex I, while manufacturing of motor vehicles, trailers, machinery, and electrical or electronic equipment appears in Annex II. Medium-sized and larger operators in those sectors (50 or more staff, or annual turnover above EUR 10 million) are in scope, most manufacturers as important entities, and member states may designate smaller operators in specific cases. Tier-1 automotive suppliers serving multiple OEMs are a common case. NIS2 requirements include management-body accountability, risk management, incident handling, supply chain security, and reporting of significant incidents to the national CSIRT or competent authority.
GDPR continues as the foundational data regulation. It does not require data to be stored in the EU; it requires a lawful basis for processing, honouring data subject rights (including portability on request), and, for any transfer of personal data outside the EEA, an adequacy decision, Standard Contractual Clauses, or another Chapter V safeguard. Data flows between EU member states need no transfer mechanism. Keeping data in EU data centers is therefore a sovereignty and risk-reduction choice rather than a GDPR mandate, though it removes the transfer question entirely.
Can SaaS Platforms Meet EU Manufacturing Compliance Requirements?
EU manufacturing enterprises face a structural incompatibility. CRA requirements (security-by-design with documented SBOM and vulnerability management) conflict with SaaS platform architecture (multi-vendor, third-party dependencies, limited transparency).
The CRA-SaaS incompatibility
The Cyber Resilience Act requires that manufacturers document and prove security-by-design throughout the product lifecycle. For a SaaS platform, proving security-by-design is structurally difficult because the platform depends on multiple third-party vendors and services:
- The cloud infrastructure vendor (AWS, Azure, Google Cloud) has its own security posture and vulnerability management process.
- The eCommerce platform vendor (Shopify, BigCommerce) depends on open source libraries and frameworks with their own patch cycles, and the customer sees neither the dependency list nor the patch schedule.
- Payment processors integrate via APIs, each with their own security requirements.
- CDNs and DDoS mitigation services add additional vendor dependencies.
- Email services, analytics platforms, and marketing automation integrate via plugins.
A manufacturing enterprise using a SaaS platform cannot produce a complete, auditable software bill of materials. The platform vendor controls the SBOM, not the customer. When a vulnerability is discovered in a third-party library (critical npm flaw, for example), the SaaS platform patches it on its own timeline, and the customer has no control. If the patch breaks functionality, the customer has no recourse.
For CRA-audited manufacturing enterprises, this lack of control is a compliance gap. Regulators ask: “Who is responsible for security? Who patches vulnerabilities? Who maintains the SBOM?” The answer is “the SaaS vendor,” which creates a chain-of-custody problem. The CRA places its obligations on the manufacturer of the product; when the platform is a hosted service, the evidence a regulator asks for is held by a vendor the enterprise can neither audit nor compel.
The NIS2 supply chain audit burden
If a manufacturing B2B platform operator meets NIS2 thresholds (critical infrastructure), NIS2 requires detailed supply chain risk management. This means documenting the security posture of every third-party vendor, conducting risk assessments on dependencies, and maintaining incident response coordination.
For a SaaS platform, the audit burden multiplies. The operator must audit not just their own systems but every vendor dependency. This is operationally complex and costly. Self-hosted platforms allow manufacturing enterprises to maintain tighter supply chain visibility because they control the SBOM, infrastructure, and vendor relationships directly, enabling more efficient NIS2 audits.
The data residency and sovereignty gap
Manufacturing enterprises often operate across multiple EU member states. GDPR permits personal data to leave the EEA only under an adequacy decision, Standard Contractual Clauses, or another Chapter V safeguard, and many SaaS platforms store or process EU data in US-based systems on exactly that basis.
Many EU manufacturing enterprises, particularly those in critical infrastructure or government-linked supply chains, prefer data to remain exclusively within EU jurisdiction. SCCs and the EU-US Data Privacy Framework make US storage lawful on paper, but a transfer mechanism does not address access under foreign law or the vendor’s own administrative access, so data sovereignty concerns remain material.
“Data sovereignty” has become increasingly important to EU policymakers who are concerned about data residency and control.
Self-hosted platforms deployed on EU-only cloud provide full data sovereignty and comply with stricter EU data protection policy interpretations.
How platforms compare for EU manufacturing B2B
| EU Manufacturing Requirement | Shopify Plus | Salesforce CC | commercetools | Self-Hosted (Spree) |
|---|---|---|---|---|
| CRA security-by-design compliance | ❌ SaaS dependency | ❌ SaaS dependency | ❌ SaaS dependency | ✅ Full control — your SBOM, your patches |
| SBOM transparency | ❌ Vendor-controlled | ❌ Vendor-controlled | ⚠️ Limited transparency | ✅ Full SBOM — open source codebase |
| Vulnerability management | ❌ Vendor-dependent | ❌ Vendor-dependent | ❌ Vendor-dependent | ✅ Your control — patch on your timeline |
| NIS2 supply chain audit | ❌ Limited supplier visibility | ❌ Limited supplier visibility | ⚠️ Possible with custom audit | ✅ Direct control over supply chain |
| EU data residency (EU-only) | ❌ US-based storage | ❌ US-based storage | ⚠️ Regional options available | ✅ Deploy on EU-only cloud or on-prem |
| Data sovereignty (full EU control) | ❌ US vendor control | ❌ US vendor control | ⚠️ Possible with custom setup | ✅ All data under your jurisdiction |
| B2B marketplace / supplier network | ⚠️ Limited vendor management | ⚠️ Available | ⚠️ Possible with custom build | ✅ Native B2B + marketplace |
| Multi-country/multi-currency | ✅ Available | ✅ Available | ✅ Available | ✅ Native multi-store with per-country config |
| API transparency and auditability | ⚠️ Limited API docs | ⚠️ Limited API docs | ✅ Better API documentation | ✅ Full API + open source code |
The pattern is clear: SaaS platforms introduce vendor dependencies that undermine CRA compliance, limit SBOM transparency, and create data sovereignty gaps. Self-hosted platforms deployed on EU infrastructure with full source code control are the only architecturally compliant path for EU manufacturing B2B commerce under the Cyber Resilience Act.
What EU Manufacturing Commerce Actually Requires
EU manufacturing and automotive B2B platforms need a commerce system that combines multi-country sourcing, supplier management, and security-by-design architecture with full visibility into the supply chain and data sovereignty.
| Business Requirement | Why It Matters for EU Manufacturing B2B | Platform Capability Needed |
|---|---|---|
| B2B procurement / supplier marketplace | Automotive OEMs and Tier-1 suppliers source MRO parts, components, and services from a network of suppliers across EU; centralized platform reduces fragmentation | B2B module with supplier management, RFQ workflows, price lists, buyer organizations, and approval hierarchies |
| Multi-country / multi-currency operations | EU manufacturing supply chains span multiple member states, each with different tax rules, VAT regimes, and languages | Native multi-store with per-country tax configuration, currency conversion, and localization |
| Supplier compliance verification | Suppliers must meet ISO certifications (ISO 9001 quality, ISO 45001 safety), CRA readiness, and potentially NIS2 requirements | Vendor onboarding with document storage, certification tracking, and compliance verification workflows |
| CRA security-by-design proof | Manufacturers must prove that the platform they use meets CRA requirements (security-by-design, vulnerability management, SBOM documentation) | Full source code access, documented SBOM, vulnerability disclosure policy, and patch timeline transparency |
| Security-by-design in procurement | Suppliers must disclose SBOM and security practices for components sold; procurement platform must support this transparency | API for supplier security disclosure, SBOM upload/management, and security audit integration |
| NIS2 audit readiness | Critical infrastructure operators must demonstrate supply chain risk management and incident response; platform must provide audit logs | Immutable audit logging, incident reporting capabilities, and supply chain risk documentation |
| EU-only data residency | Data must remain in EU jurisdiction; no US-based data centers | Deployment on EU-only cloud (AWS Frankfurt, AWS Ireland, Azure EU) or on-premise EU data centers |
| Data portability and GDPR compliance | Customers/suppliers must be able to export their data; platform must support GDPR data subject rights | Full API export capability for supplier profiles, transactions, and compliance records |
Meeting these requirements on a generic SaaS platform means accepting vendor dependencies that undermine CRA compliance, maintaining separate compliance documentation systems, and hoping that the vendor’s security posture aligns with your obligations. A composable architecture (with B2B marketplace, multi-country management, supplier compliance verification, and immutable audit logging as built-in modules deployed on EU-only infrastructure) gives manufacturing enterprises full supply chain visibility and proof that the platform meets CRA security-by-design, NIS2, and GDPR requirements.
How Spree Enterprise Serves EU Manufacturing & Automotive B2B Commerce
Spree Enterprise addresses EU manufacturing commerce by combining B2B marketplace capabilities with transparent security architecture, EU-only deployment options, and detailed audit trails that satisfy CRA, NIS2, and GDPR requirements.
| EU Manufacturing Requirement | Spree Enterprise Feature | How It Works |
|---|---|---|
| B2B procurement / supplier marketplace | Native B2B module + marketplace | Suppliers register and list components, services, or MRO parts. Buyers (OEMs, Tier-1 primes) request quotes, place orders, and manage supplier relationships. RFQ workflows, approval hierarchies, and per-supplier pricing. |
| Multi-country / multi-currency operations | Native multi-store with per-country config | Create a store per EU member state. Each store has its own VAT rules, tax rates, currency, language, and compliance settings. Centralized inventory and order management across all stores. |
| Supplier compliance verification | Vendor onboarding with document management | Suppliers submit certifications (ISO 9001, ISO 45001, CRA security documentation). Verification workflows manage approvals. Compliance documents stored in audit-trailed system, accessible for audits. |
| CRA security-by-design proof | Open source (BSD 3-Clause) + documented SBOM | Full source code access — your security team audits the codebase. Documented SBOM of all dependencies. Published vulnerability disclosure policy. Transparent patch and update timeline. |
| Security-by-design disclosure | Supplier portal for SBOM and security documentation | Suppliers upload SBOMs and security practices (e.g., “ISO 27001 certified,” “vulnerability disclosure process”). Procurement team can verify and track supplier security posture. |
| NIS2 audit readiness | Immutable audit logging + supply chain documentation | All admin actions, API calls, and supplier interactions logged with user, timestamp, action type. Audit logs are append-only, tamper-evident, and exportable for NIS2 audits. Supply chain risk documentation integrated. |
| EU-only data residency | Deployable on EU-only infrastructure | Deploy on AWS Frankfurt, AWS Ireland, Azure EU-West, or on-premise EU data centers. All customer and supplier data remains in EU jurisdiction. No US-based backups or failover. |
| GDPR data portability | Full API for data export | Suppliers and customers can request their data in portable format (JSON, CSV). Spree exports all transactions, compliance records, and profile data. |
Why Spree Enterprise specifically
Spree’s architecture gives EU manufacturing enterprises full control over security-by-design. The platform is open source, so your security team can audit the entire codebase, verify CRA compliance, and maintain confidence that it meets your regulatory obligations. The transparent SBOM and published vulnerability disclosure policy mean you can credibly assert to customers and regulators that the platform is designed with security in mind.
The native B2B module and marketplace capabilities allow manufacturing enterprises to build supplier procurement networks that span multiple EU member states, with per-country tax and compliance configuration. Spree handles multi-country complexity natively, eliminating the operational burden of managing separate platform instances per country.
Deployment on EU-only infrastructure (AWS Frankfurt, AWS Ireland, Azure EU) provides full data sovereignty and EU-only residency. All supplier data, order history, and compliance documentation remain in EU jurisdiction. No US-based SaaS vendor has implicit access to your supply chain data.
Immutable audit logging makes NIS2 audits straightforward. You can produce a complete, tamper-evident record of all supply chain activity, access to compliance documentation, and incident response actions. For critical infrastructure operators, this audit readiness is a material operational advantage.
Because Spree is self-hosted, you control the SBOM, patch timeline, and vulnerability management process. When a critical vulnerability is discovered, you can patch on your timeline and control the rollout without dependency on a vendor’s patch cycle.
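What “your SBOM, your patches” looks like in practice, as an added example that is not Spree’s own code: the following Ruby script parses a Gemfile.lock (the dependency lockfile of any Rails-based platform), emits a CycloneDX-style SBOM, and matches every component against an advisory list so that a newly published flaw in a third-party library can be triaged on your timeline. The lockfile and the advisory entries are constructed for the example; the advisory identifiers are placeholders, not real CVEs. A production pipeline would feed the same matcher from the RubySec advisory database (the data `bundler-audit` uses) and run it on every lockfile change.

```ruby
# Added example, not part of Spree. Builds a CycloneDX-style SBOM from a
# Gemfile.lock and checks it against an advisory list. Stdlib only.
require "json"
require "rubygems"

# Constructed sample lockfile; not taken from any real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.2-x86_64-linux)
        racc (~> 1.4)
      racc (1.7.3)
      rack (2.2.8)
      rails-html-sanitizer (1.6.0)
        loofah (~> 2.21)
        nokogiri (~> 1.14)
      loofah (2.22.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)
      crass (1.0.6)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rack
    rails-html-sanitizer

  BUNDLED WITH
     2.5.6
LOCK

# Constructed advisories with placeholder IDs (not real CVEs). Each
# "vulnerable" entry is a list of RubyGems requirement strings that must
# all hold for the installed version to be affected.
SAMPLE_ADVISORIES = [
  { "id" => "EXAMPLE-ADV-0001", "gem" => "rack",
    "vulnerable" => ["< 2.2.9"], "severity" => "high" },
  { "id" => "EXAMPLE-ADV-0002", "gem" => "nokogiri",
    "vulnerable" => [">= 1.16.0", "< 1.16.2"], "severity" => "critical" },
  { "id" => "EXAMPLE-ADV-0003", "gem" => "loofah",
    "vulnerable" => ["< 2.22.0"], "severity" => "medium" }
].freeze

# Extract resolved gems from the "specs:" block of a Gemfile.lock.
# Resolved gems sit at 4-space indent; their dependency lines (6 spaces)
# are skipped, so every component is one installed version.
def parse_lockfile(text)
  components = []
  in_specs = false
  text.each_line do |line|
    if line.match?(/\A  specs:\s*\z/)
      in_specs = true
      next
    end
    in_specs = false if line.match?(/\A\S/) # next top-level section
    next unless in_specs

    m = line.match(/\A    (\S+) \(([^)]+)\)\s*\z/)
    next unless m

    name = m[1]
    version = m[2].split("-").first # drop platform suffix, e.g. "-x86_64-linux"
    components << {
      "type" => "library", "name" => name, "version" => version,
      "purl" => "pkg:gem/#{name}@#{version}"
    }
  end
  components
end

# Wrap components in the minimal CycloneDX document structure.
def build_sbom(components, app_name:, app_version:)
  {
    "bomFormat" => "CycloneDX",
    "specVersion" => "1.5",
    "version" => 1,
    "metadata" => {
      "component" => { "type" => "application", "name" => app_name, "version" => app_version }
    },
    "components" => components
  }
end

# Return one finding per (component, advisory) pair whose version
# satisfies every requirement in the advisory's "vulnerable" list.
def match_advisories(sbom, advisories)
  sbom["components"].flat_map do |c|
    version = Gem::Version.new(c["version"])
    advisories
      .select { |a| a["gem"] == c["name"] && Gem::Requirement.new(*a["vulnerable"]).satisfied_by?(version) }
      .map { |a| { "component" => c["purl"], "advisory" => a["id"], "severity" => a["severity"] } }
  end
end

if __FILE__ == $PROGRAM_NAME
  sbom = build_sbom(parse_lockfile(SAMPLE_LOCKFILE),
                    app_name: "procurement-platform", app_version: "2026.03")
  puts JSON.pretty_generate(sbom)
  match_advisories(sbom, SAMPLE_ADVISORIES).each do |f|
    puts "#{f['severity'].upcase}: #{f['component']} affected by #{f['advisory']}"
  end
end
```

On the constructed input only `rack 2.2.8` is flagged; `nokogiri 1.16.2` sits just outside the affected range, which is the kind of boundary a hand-maintained spreadsheet gets wrong and `Gem::Requirement` gets right. The SBOM produced here covers the top-level and transitive gems of the Ruby application only; a CRA-grade SBOM for the deployed platform also needs the container base image, JavaScript assets, and system packages, each generated by the tool appropriate to that ecosystem and merged.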
What Architecture & Deployment Do EU Manufacturing Platforms Need?
EU manufacturing architecture must account for multi-country compliance, CRA security requirements, NIS2 audit readiness, and data sovereignty while maintaining high availability and supplier accessibility across geographic regions.
Hosting and data residency. EU manufacturing has explicit data residency requirements under GDPR and implicit data sovereignty expectations. The recommended deployment is EU-only cloud (AWS Frankfurt for central Europe, AWS Ireland for Western Europe, or both for pan-EU coverage) or on-premise EU data centers. Backups and disaster recovery must remain within EU jurisdiction. Government-linked suppliers and critical infrastructure operators often prefer on-premise EU data centers.
Multi-country B2B marketplace architecture. The recommended deployment for EU manufacturing is Spree’s multi-store module with one store per EU member state. Each store has its own VAT/tax configuration, currency, language, and supplier/buyer organization settings. Central inventory management means suppliers maintain one product listing (with descriptions in multiple languages) that is sold through all EU storefronts. Order management and fulfillment are centralized, but each country’s regulatory requirements (tax, compliance, language) are isolated per store.
Supplier compliance and CRA readiness. The procurement architecture includes supplier onboarding workflows where suppliers submit compliance documentation (ISO certifications, SBOMs, security disclosures). Verification workflows manage approvals and flag suppliers that have not met CRA requirements or security standards. The audit-trailed system maintains a complete record of supplier compliance status, certification expiry dates, and security disclosures — auditable on demand by EU regulators or procurement auditors.
Security and audit architecture. CRA and NIS2 compliance requires audit logging with tamper-evident records of all system activity: supplier onboarding, order processing, compliance documentation uploads, and any data access. Logs are retained for the required period (typically 3+ years), are append-only, and are checked periodically against an externally anchored digest so that silent deletion or alteration is detectable. Export mechanisms allow production of compliance reports in formats required for CRA and NIS2 audits.
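The “tamper-evident” property that the audit rows above and this architecture section rely on is not a database setting; it comes from chaining records together. As an added example (not Spree’s implementation, which this page does not describe), the following Ruby class keeps a hash-chained, HMAC-signed audit log, verifies it, and re-verifies an exported copy the way an auditor would. The key name, event names, and actors are assumptions made for the example.

```ruby
# Added example, not part of Spree. A hash-chained, HMAC-signed audit log:
# every entry commits to the previous entry's hash, so altering, inserting
# or deleting any record breaks verification from that point onward.
require "json"
require "openssl"
require "time"

class AuditLog
  GENESIS = "0" * 64 # "previous hash" of the first entry

  attr_reader :entries

  # hmac_key: a secret held outside the application database (KMS, HSM or
  # a separate secrets store), so a database-level attacker cannot re-sign.
  def initialize(hmac_key)
    @hmac_key = hmac_key
    @entries = []
  end

  # Append one record and return it. `at` defaults to now (UTC).
  def append(actor:, action:, target:, at: Time.now.utc)
    prev = @entries.empty? ? GENESIS : @entries.last["hash"]
    entry = {
      "seq" => @entries.size, "at" => at.iso8601, "actor" => actor,
      "action" => action, "target" => target, "prev" => prev
    }
    entry["hash"] = digest(entry)
    @entries << entry
    entry
  end

  # Walk the chain. Returns [true, count] if intact, otherwise
  # [false, index] naming the first entry that fails.
  def verify
    expected_prev = GENESIS
    @entries.each_with_index do |e, i|
      body = e.reject { |k, _| k == "hash" }
      ok = e["seq"] == i && e["prev"] == expected_prev && e["hash"] == digest(body)
      return [false, i] unless ok
      expected_prev = e["hash"]
    end
    [true, @entries.size]
  end

  # Hash of the last entry: publish or escrow this periodically (WORM
  # bucket, notary, a second system) so truncation of the tail is detectable.
  def head
    @entries.empty? ? GENESIS : @entries.last["hash"]
  end

  # Newline-delimited JSON export for auditors.
  def export_jsonl
    @entries.map { |e| JSON.generate(e) }.join("\n") + "\n"
  end

  # Re-verify an export on the auditor's side with the same key.
  def self.verify_export(jsonl, hmac_key)
    log = new(hmac_key)
    jsonl.each_line { |l| log.entries << JSON.parse(l) }
    log.verify
  end

  private

  # Canonical serialisation (keys sorted) before HMAC, so field order
  # cannot change the digest.
  def digest(body)
    canonical = JSON.generate(body.sort.to_h)
    OpenSSL::HMAC.hexdigest("SHA256", @hmac_key, canonical)
  end
end

if __FILE__ == $PROGRAM_NAME
  log = AuditLog.new("constructed-demo-key") # demo key only
  log.append(actor: "buyer@example.eu", action: "supplier.cert.upload", target: "supplier:42")
  log.append(actor: "auditor@example.eu", action: "supplier.approve", target: "supplier:42")
  log.append(actor: "buyer@example.eu", action: "order.create", target: "order:1001")
  puts "intact: #{log.verify.inspect}, head=#{log.head[0, 16]}..."
  log.entries[1]["actor"] = "mallory" # simulate tampering with a stored record
  puts "after tamper: #{log.verify.inspect}"
end
```

Two design points matter here. The chain alone detects modification and deletion inside the log, but not deletion of the newest entries, which is why `head` exists: anchoring that digest in a system the application cannot write to (an object-lock bucket, a separate log service, a printed monthly record) closes that gap. And signing with an HMAC key kept out of the application database means an attacker with SQL access can corrupt the log but cannot quietly rewrite it.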
Integration architecture. Critical integration points for EU manufacturing are: ERP systems (SAP, Oracle for financial consolidation across EU subsidiaries), supplier identity verification (TaxID verification, ISO certification databases), supply chain management systems (for inventory and order synchronization), and potentially government procurement systems (EU eTendering platforms for public sector contracts).
EU Automotive & Manufacturing Compliance Resources
For detailed compliance guidance on the regulations affecting EU manufacturing commerce:
| Regulation | Scope | What It Means for Manufacturing | Full Guide |
|---|---|---|---|
| Cyber Resilience Act | EU (product security) | All products with digital elements must be designed, developed, and maintained with security-by-design. Main obligations Dec 11, 2027. | Full CRA Compliance Guide (coming soon) |
| NIS2 | EU (critical infrastructure) | Operators in critical sectors must implement security measures and report vulnerabilities. Supply chain risk management required. | Full NIS2 Compliance Guide (coming soon) |
| GDPR | EU (data protection) | Customer and supplier data must be EU-resident, subject to consent, and portable. Multi-country data flows require adequacy or SCCs. | → Full GDPR Compliance Guide |
For related industry deep dives:
- → Defense Procurement Marketplaces: Building ITAR-Compliant B2B Commerce — similar B2B marketplace and sovereign infrastructure patterns
- Energy Trading & Carbon Credit Marketplaces (coming soon) — similar multi-jurisdictional and compliance audit patterns
For regional compliance overviews:
- EU eCommerce Compliance Environment 2026 (coming soon)
Build EU Automotive & Manufacturing Commerce with Spree
Spree Enterprise gives EU manufacturing enterprises a composable B2B marketplace that combines multi-country supplier procurement, compliance verification, and immutable audit logging on EU-only infrastructure.
Whether you are building a new multi-country supplier marketplace, consolidating fragmented procurement across EU operations, or migrating off a non-compliant SaaS platform, the Spree team can help you scope the right architecture for EU manufacturing commerce that satisfies the Cyber Resilience Act, NIS2, and GDPR requirements.
Frequently Asked Questions
What ecommerce platform should EU automotive and manufacturing B2B use?
Self-hosted platforms with transparent security architecture (open source), EU-only deployment options, and detailed audit logging are the only viable choice for CRA-compliant EU manufacturing commerce. Mainstream SaaS platforms (Shopify, BigCommerce, Salesforce Commerce Cloud) introduce vendor dependencies that undermine CRA security-by-design compliance, do not provide full SBOM transparency, and store EU data in US-based systems. Self-hosted platforms like Spree Enterprise deployed on EU-only infrastructure give manufacturing enterprises full control over the supply chain and visible proof that the platform meets CRA requirements.
What is the Cyber Resilience Act and how does it apply to my B2B platform?
The Cyber Resilience Act (CRA) entered into force December 2024, with main obligations applying December 2027. The CRA requires that all products with digital elements be designed, developed, and maintained with security embedded from the start. For a B2B manufacturing or automotive marketplace, the CRA treats the platform itself as a digital product requiring that cybersecurity be built into design, development, and maintenance processes. You must document your security practices, maintain a software bill of materials (SBOM), and prove that vulnerabilities are identified and patched. SaaS platforms cannot meet this requirement because the vendor controls the SBOM and patch process. Self-hosted platforms allow you to maintain full control over the SBOM and prove to regulators that security-by-design is embedded in the platform.
What does “security-by-design” mean under the CRA?
Security-by-design means that cybersecurity is embedded throughout the product’s lifecycle: planning, design, development, testing, deployment, and maintenance. For B2B platforms, the vendor must document each phase and prove that security is integral to every development decision, not an afterthought. Open source platforms allow customers to audit the code and verify that security-by-design principles are followed. SaaS platforms cannot provide this transparency.
How do I achieve EU data residency and data sovereignty?
GDPR does not itself mandate EU-resident storage; it requires that any transfer of personal data outside the EEA be covered by an adequacy decision, Standard Contractual Clauses, or another Chapter V safeguard. Data sovereignty goes further: the data remains under your full control and is neither accessed by US-based vendors nor stored in US-based systems. Self-hosted platforms like Spree can be deployed on EU-only cloud (AWS Frankfurt, AWS Ireland, or Azure EU-West) or on-premise EU data centers. All backup, disaster recovery, and failover infrastructure remain within EU jurisdiction. SaaS platforms typically store data in US-based systems under a transfer mechanism, which satisfies GDPR on paper but not strict data sovereignty requirements.
What does NIS2 compliance mean for manufacturing B2B platforms?
NIS2 (Network and Information Systems Directive 2) applies to essential and important entities in the sectors listed in its annexes, including energy, water, transport, health, and the manufacture of motor vehicles, machinery, and electrical or electronic equipment. If your manufacturing organization meets the size threshold (medium-sized or larger: 50 or more staff, or annual turnover above EUR 10 million), you must implement risk-management measures, report significant incidents to the national CSIRT or competent authority (early warning within 24 hours, notification within 72 hours), and maintain supply chain risk management. For a B2B platform, NIS2 compliance requires tamper-evident audit logging, incident response procedures, and documentation of all third-party dependencies. Self-hosted platforms with detailed audit trails and transparent supply chain dependencies are easier to audit under NIS2 than SaaS platforms with vendor dependencies.
How much does EU manufacturing B2B commerce cost?
EU automotive and manufacturing B2B commerce on Spree Enterprise typically costs EUR 75,000–EUR 200,000 in first-year investment for a multi-country operation, depending on scale, country count, and supplier integration complexity. Costs include platform licensing, EU cloud infrastructure (or on-prem data center setup), multi-country compliance configuration, and supplier onboarding. Ongoing costs are primarily infrastructure and maintenance. SaaS platforms reduce upfront costs but introduce long-term vendor lock-in, data sovereignty concerns, and CRA compliance gaps that require additional remediation. Self-hosted platforms provide lower TCO over time because you own the infrastructure and avoid vendor audit overhead.